VPN vs VNC : is there much of a difference for average user ?

Hi there,


Been deploying a Snow Server to learn and for a few friends to use and has been fun and a blast to learn.


So to access my server, either two options : straight VNC ( or screen sharing ) or encapsulated via VPN.


Pros with VPN :


Safer ( but how much safer )

Troublesome to deploy ( been tinkering with it, can't access it via outside yet, opened ports everyone but still a no go )


Cons :


Slower


Is VNC that much insecure ? Is it a risk to leave it open to the internet ?

Posted on May 7, 2011 1:14 PM


May 7, 2011 11:54 PM in response to Goncalo Proenca

VNC is horribly insecure. Horribly.


By default VNC has a single password - no username or anything required. There's no tracking of failed attempts, or lockouts after x tries, so any hacker can just pound away at your unprotected server until he gets in. Icky, icky.


Spend a little more time working out your VPN connection issues and you'll sleep better at night.


(Incidentally, I think most users wouldn't notice the difference of VNC over VPN vs no VPN. The bottleneck is likely to be WAN bandwidth more than encryption/decryption speeds.)

May 8, 2011 5:15 AM in response to Camelot

Camelot,


Thanks for your thoughts, really helpful.


To be honest, I made "peace" with VPN : restarted everything from the beginning, opened the ports in the firewall, exported the file that the server does and... everything is working : iPhones, iPads and several laptops are connecting via VPN with zero problems. Once they're in, everything is a doddle.


Now, what about Screen Sharing ( the built in for the Macs ) vs VPN ? VPN still holds better security correct ? Since it has username+password+shared secret.


Thanks again,


GP

May 10, 2011 1:53 PM in response to Goncalo Proenca

Don't get into the trap of thinking you need VPN or VNC. That wasn't the point of my post.

They are two distinctly different elements in your network.


What I was intending was that you should never, ever consider public VNC access to the server. Ever.


If you implement a VPN then that gives your remote system a secured channel to your LAN, and then it's OK to use VNC - as long as the VNC connection is established over the VPN link. Now you're using the VPN to provide a level of authentication that VNC lacks.


In general the rule you should follow is that any service that you want the general public to access (such as a public web server, or your SMTP server (so you can accept incoming mail)) should be set up with port forwarding rules in your router/firewall. Any other service should be restricted to the LAN, with a VPN to provide remote access for the users that need it.


If you follow this premise it's clear that you don't want the general public poking around your VNC server, therefore it should not be exposed (e.g. via port forwarding), and you leave it up to the VPN to enable such access.

May 10, 2011 7:23 PM in response to Camelot

Thank you again Camelot !


Well spent a few hours reading and reading and trial and error but now I have :


only couple of services available to the "outdoor", mainly imap + web + VPN


firewall configured that only accepts VNC / Screen Sharing requests IF they come from inside the network


VNC running


That means that if an outside user wants to connect from outside ( internet ) , he must login via VPN and then only afterwards he can use VNC to access the server ( well usually me, but now at least I sleep safer 🙂 )
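
Added example, not part of the original thread: one way to confirm from a connection outside the LAN (no VPN) that the setup described above holds, i.e. only the intended public ports answer and nothing answers as VNC. The function names, the `fake_service` stand-in and the localhost demo are assumptions made for illustration; the only protocol fact used is that a VNC (RFB) server opens the connection with a 12-byte `RFB xxx.yyy\n` version string.

```python
import socket
import threading

RFB_MAGIC = b"RFB "  # an RFB (VNC) server opens with a 12-byte "RFB xxx.yyy\n" string

def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'closed', 'open' or 'vnc'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(12)
            except OSError:
                banner = b""  # open, but the service waits for the client to speak
            return "vnc" if banner.startswith(RFB_MAGIC) else "open"
    except OSError:
        return "closed"  # refused, filtered or unreachable

def audit(host, ports, public_ports, timeout=2.0):
    """Probe each port and list everything that breaks the thread's rule."""
    results = {p: probe(host, p, timeout) for p in ports}
    violations = []
    for port, state in sorted(results.items()):
        if state == "vnc":  # never acceptable from outside, whatever the port
            violations.append((port, "VNC answers without the VPN"))
        elif state == "open" and port not in public_ports:
            violations.append((port, "open but not an intended public service"))
    return results, violations

def fake_service(banner=b""):
    """Constructed stand-in for a real service on a free localhost port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    web = fake_service()                  # plays the public web server
    vnc = fake_service(b"RFB 003.008\n")  # plays a VNC server left exposed
    _, violations = audit("127.0.0.1", [web, vnc], public_ports={web}, timeout=1.0)
    for port, why in violations:
        print(f"port {port}: {why}")
```

To check a real server, call `audit()` from a network outside the LAN with the server's public address, the ports to test and the set of ports meant to be public. It checks TCP only.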
